Index_S


S

SAA (Service Assurance Agent), Cisco, 334–335
SAINT, NetRecon, 402
SANS, 391
SAs (security associations)
message integrity, 144
removing unnecessary, 125–126
VPNs and, 140–141
scope section, of security policy, 26
scripts
changing system configuration, 467–468
changing system image, 453, 457
SDIO cards, 252
Secure Hash Algorithm 1 (SHA-1), 143
secure interior, 371–385
branch/remote offices, 383–384
building access module, 381
building distribution module, 379–381
core module, 378
enterprise campus, 375–377
lab module, 382–383
management module, 381–382
overview, 372
server module, 378–379
system segments with VLANs, 375
trust models, 373–375
VLANs, 372
secure perimeter
dual firewalls for DMZ, 351–353
e-commerce access module, 366–368
extranet access module, 364–365
Internet module, 354–360
multi-home firewall for DMZ, 349–351
overview, 348
VLANs in DMZs, 353–354
VPN remote access module, 360–362
WAN access module, 363
wireless access module, 365–366
Secure Socket Layer (SSL), 108–110, 411–412
security associations (SAs)
message integrity, 144
removing unnecessary, 125–126
VPNs and, 140–141
security clearances, 505
security cost justification
data gathering, 491
presenting results of risk analysis, 496
quantitative vs. qualitative risk analysis, 491–495
risk analysis, 488–489
threat identification, 489–490
valuation of assets and information, 490–491
valuation of protection, 495–496
security incidents, 29. See also incident response
security management, 335
Security Monitor, Cisco
e-mail alerts, 99–102
logs, 96–97
reports, 97–98
security policy
adhering to, 391–393
designing, 23–26
implementing and enforcing, 26
monitoring, 26
overview of, 20
preventing failure of, 37
prevention mechanisms in, 396–397
protecting against all known threats, 393–396
purpose of, 22–23
reasons for failure of, 36
reviewing, 37, 391
role of, 20–21
sections of, 26–29
terminology, 22
types of, 30–35
updating, 37
weaknesses to address, 35–36
security posture, 398
security staff, 520
Security Team, 508
Security Tester, 508
segmentation of network with VLANs, 372–375
self-study, 513
seminars, 512
sensors, IDS/IPS. See network sensors
server module, enterprise campus, 378–379
servers
authentication server, 249–250, 266, 303
Cisco Secure ACS, 287–288, 308–310
determining location of server resources, 7
disabling DHCP server, 257
disabling small servers on IOS devices, 164
finger server, 166
IAS server, 283–286, 304–308
server-based Internet content filters, 207–210
Service Assurance Agent (SAA), Cisco, 334–335
Service Set Identifier (SSID), 245–246, 252–254
SHA-1 (Secure Hash Algorithm 1), 143
show flash command, 456
show interface command, 441
signature-based detection, 77
signatures, IDS/IPS
blocking traffic with, 103
customizing prebuilt, 92–93
disabling, 91
filtering, 91–92
maintaining, 90
writing custom, 93–94
Simple Network Management Protocol. See SNMP (Simple Network Management Protocol)
Single Loss Expectancy (SLE), 493
site-to-site VPNs, 108, 362
Slavasoft FSUM, 329
SLE (Single Loss Expectancy), 493
Sniffer Distributed, Network Associates, 404
SNMP (Simple Network Management Protocol)
configuring for WAPs, 255–256
managing network devices, 171
performance management, 333–334
problems with, 60
securing versions of, 171–173
steps in hardening, 61–62
upgrading system image and, 457
SNMP polling, 314
SNMP SmartScan, 314
Snort, 88–89
spam controls, 238–239
SPAN (Switched Port Analyzer), 86–87, 213
Spanning Tree Protocol. See STP (Spanning Tree Protocol)
split tunneling, 151
spoofing attacks, 380
SSH
3DES/SSH compared with Telnet, 103
preventing remote administration, 42–44
securing remote administration, 44–48
VPNs and, 110
vulnerabilities, 394
SSID (Service Set Identifier), 245–246, 252–254
SSL (Secure Socket Layer), 108–110, 411–412
staffing. See also training
contractors, 501
increasing headcount, 500
individual roles and responsibilities, 507–508
knowledge management, 509–510
organizational/group roles and responsibilities, 508–509
outsourcing, 501
overview, 500
recruitment, 502–505
retention, 506–507
standards
configuration management, 330–331, 333
function of, 22
IP address, 330
network management, 313
security policy, 20
static routes, 67–68
storms, 203
STP (Spanning Tree Protocol)
disabling on IOS devices, 199–200
location of, 6
preventing spoofing attacks, 380
services for, 200–201
subnets, 6, 373–374
support team members, CIRT, 519
SurfControl
filtering levels, 214
filtering rules, 214–221
overview, 213–214
reports, 221–222
switch port, MAC addresses, 248
switched networks, IDS/IPS sensor placement, 86–87
Switched Port Analyzer (SPAN), 86–87, 213
switches. See also network devices (IOS)
802.1x networks, 303
authentication, 304–310
blocking, 103–104
Cisco Catalyst 2950 switch, 213–214
configuring for RADIUS server, 305
DAI (Dynamic ARP inspection), 202–203
policy, 33
port security, 201–202
private VLANs and, 195–196
storm control, 203
STP and, 199–201
VACLs and, 196–197
VLAN hopping, 194–195
VTP and, 198–199
Symantec, 395–396, 402
SYN (synchronization) requests, TCP, 409
syslog. See also Kiwi Syslog
alerts for configuration management, 332
IOS devices and, 170
logs, 96
managing firewalls with, 62–63
risks associated with, 63–64
system configuration
automating change, 465–472
manually changing, 464–465
overview, 464
viewing, 442
system image
automating change, 457–464
manually changing, 454–456
methods for changing, 452–453



Hardening Network Infrastructure. Bulletproof Your Systems Before You Are Hacked.
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 125
